Web Filtering: An In-Depth Look
What is Web Filtering?
A web filter is a software application that screens incoming web pages and then either grants or denies permission to view the content. To determine whether content should be displayed or not, a web filter checks the content and its origin against a set of predefined rules.
Organizations use web filtering to prevent users from accessing web content like spyware and viruses, as well as content inappropriate for the workplace. The goal of web filtering is to improve productivity, reduce liability, and protect the corporate network against web-based threats.
A web filtering solution can provide a wide range of capabilities, in addition to the basic filtering service. Notable features include reporting capabilities that analyze traffic, soft blocking that can display warnings before denying access, and an overriding functionality that lets administrators unblock pages.
This is part of our series of articles about browser virtualization.
Why is Web Filtering Important?
Here are a few ways your organization can benefit from web filtering technology.
Reduced Malware Infections
By blocking access to known bad sites with a high risk of malware or malicious activity, you can protect your data and users before malicious payloads are introduced. Web filtering can significantly limit threats, reducing the need for responding to malware alerts and performing maintenance work to clean employee endpoints.
Modern web filtering systems are highly effective at preventing malicious software from reaching your network. In addition to restricting access to entire domains, firewalls with web content filtering systems can also check and scan individual web pages to identify potential threats.
Protection Against Exploit Kits
While network security technologies continue to evolve, hackers are also developing smarter ways to illegally access data and networks. Exploit kits contains code specifically designed to attack web browser vulnerabilities, through browser extensions and plugins.
When users unknowingly visit malicious URLs, they may cause an exploit kit to be deployed, which exploits vulnerabilities in their browser or underlying operating system. Vulnerabilities could enable the attacker to download malware to the user’s device, hijack sessions and credentials, and more. Content filters can effectively identify exploit kits and block access before payloads are downloaded to the user’s device.
Unchecked access to social media, video, news sites, or other web content unrelated to work activity, can distract employees and reduce productivity. A web filtering solution provides a way to restrict access to certain websites users do not need to perform their jobs. Each company can establish a policy determining what type of content is or is not appropriate for employees to consume during work time or on work devices.
Minimized Company Liability
Organizations that actively monitor employee web use can avoid the dangers of Internet abuse. Your organization has a responsibility to prevent employees from performing inappropriate, harmful or illegal activities online, including:
- Posting offensive content on blogs and social media
- Posting discriminatory or vulgar offensive content
- Downloading pirated content
- Accessing materials not appropriate for a work environment
- Accessing content that is illegal under local laws
While web filtering cannot eliminate all these risks, it can dramatically reduce them, and also provide the tools to identify and intervene if employees are engaging in problematic activity.
Content Filtering Methods
There are many different methods for web filtering at work, and most solutions combine them.
Whitelists and Blacklists
Blacklists are used to block access to specific domains and URLs through third-party or user-defined blacklists. Whitelists are always used to allow access to specific URLs or domains, optionally blocking all other content for users.
Related content: read our guide to application whitelisting (coming soon)
Category filtering is the easiest way to filter content. Web filtering solutions assign websites to categories based on their content. System administrators can use check boxes in the web filtering solution’s configuration UI to select categories of content to block. Commonly blocked categories include adult websites, gambling, games, dating, social media, news, and webmail.
Some web filters perform web content analysis to detect specific keywords or web content, including inappropriate images, and assign a score to each URL. Thresholds can be set for individual users, departments, or the entire organization, and when that threshold is exceeded, the web page or website is blocked.
DNS Based Web Filtering
DNS-based web filtering blocks web content at the Domain Name System (DNS) level. It can block access to websites early on, when a user tries to connect to the website and the browser attempts to resolve its domain name using DNS. DNS-based filtering can prevent the browser from connecting the site, and display a warning message to the user.
In a DNS-filtering system, the organization uses the DNS server of a third-party service provider. The service provider maintains a database of classified websites and web pages. when a DNS lookup is performed, it works as follows:
- If the user tried to visit a website that is allowed by the filtering policy, and is not malicious, they are redirected to the appropriate IP address
- If the website is malicious, suspicious, or blocked by the filtering policy, the user is forwarded to a local IP address hosting the DNS blocking page, to notify the user that the content is blocked
The process does not affect browsing speed, and end-users are typically not aware they are browsing through a filtering system. Access attempts to the website are recorded through DNS logs, so administrators can monitor access attempts and take appropriate action.
How Do DNS Filtering Services Work?
When browsing the web on a corporate network, all DNS queries are sent to the DNS resolver. A specially configured DNS resolver acts as a filter, by denying query resolution for specific domains tracked in a block list, and can prevent users from accessing these domains. DNS filtering services can also use whitelists instead of blacklists.
When an employee attempts to visit a malicious URL, before the browser loads the website, it first queries the company’s DNS resolver. If the malicious website is on the DNS resolver’s blacklist, the resolver blocks the request, and prevents the malicious website. This can prevent a majority of phishing attacks.
Blacklists and whitelists can be defined by domain name or IP. If the former, the resolver does not resolve domains listed on its blacklist. If the latter, it resolves all domains, but if the resulting IP is blacklisted, it does not return it to the user’s browser.
DNS Filtering Considerations
Like any ad hoc solution, FNS filtering cannot provide full coverage. However, you can encompass a lot of ground by using a solution that provides three layers of DNS filtering, including:
- IP addresses—botnets and other servers usually leverage custom application protocols to perform malicious activities. To protect against these attacks you need to implement IP address blocking.
- Domains—to protect against attacks that perform malicious activities on non-web protocols, such as SMTP, you need to implement full domain name blocking.
- URLs—to defend against malicious content which is hosted on content delivery networks (CDNs) or a file-sharing system, you need to implement URL blocking because.
Proxy filters (or proxy servers) are software or machine components that serve as middlemen between a client and servers.
A proxy filter hides the client’s identity and location. Users accessing a server via a proxy trick the server into believing it performs a request made by the proxy and not the user.
Here are several use cases for proxy filtering:
- Restricting access to specific sites within the network
- Getting around network restrictions
- Accessing content available in other regions
It is important to note that a proxy filter bypasses web filters. A user can use a proxy to access restricted websites.
Pros and Cons of a Proxy Server
Here are several common advantages of using a proxy server:
- Increased privacy—of Internet users. To achieve this, the proxy server conceals the IP address of the user and tricks the server into seeing a single computer instead of multiple clients.
- Blocking malicious sites—in this case, the proxy server is used as a content filter, which blocks access to inappropriate or malicious websites.
- Site caching—a proxy server can cache (save) a copy of a frequently visited site and then directly serve it to the user. Caching ensures users quickly gain access to content.
- Bypass restrictions—a proxy server can help users bypass restrictions and gain access to content that is only available to certain regions.
Here are several limitations of using a proxy server:
- Slower speeds—since a proxy server mediates between the server and the client, the proxy becomes an additional layer through which traffic flows. This may slow down the load time of non-cached content.
- No encryption—proxy servers usually do not encrypt the traffic. This might expose the user (and potentially also the network) to third-party threats.
- Server logging—since the entire traffic of the user flows through the proxy, the server can log the Internet history of the user. Since there is no encryption, the privacy and security of the users are at risk of being exposed.
Browser-Based Web Filtering
Another way to improve security for web users is to filter content at the browser level. There are several approaches to browser-based filtering.
Isolated or Virtual Browser
An isolated browser, also known as virtual browser, is a browser running on the end-user’s machine, but isolated within a virtual machine or virtual appliance. Running the browser in an isolated environment means that security threats cannot affect the underlying device.
It also provides more control over content filtering, making it possible to block certain content, and whitelist or blacklist domains and URLs.
Learn more in our detailed guides to:
Remote browser isolation (RBI) involves running browsers as a remote, cloud service, and allowing users to access the remote browser from their local device. Content from the remote browser can either be visually streamed using “pixel pushing”, or reconstructed in a local browser, after stripping content that might constitute a security threat.
Both techniques improve security compared to unprotected local browsers, but each has challenges both for the user and the organization operating the remote browser solution.
Learn more in our detailed guide to remote browsers.
More Than Just Web Browsing Security with Hysolate
Hysolate is more than just a remote virtual browser. Hysolate isolates your entire OS environment, so your team can get their jobs done. Within Hysolate users can access untrusted websites, applications, documents and even external applications like USBs and printers in an isolated “risky zone”, without introducing malicious threats to their corporate or sensitive data. IT admins can save time and resources by reducing web filtering and whitelisting sites and applications, and users can be more productive.
Hysolate sits on user endpoints, eliminating UX issues like lag and latency, even with more resource-intensive applications, but it also comes with full admin management from the cloud. That means that admins can deploy Hysolate at scale across their company, including different settings for different teams, and can also wipe a Workspace if it contains malicious activity, or if it is no longer needed.
Want to try out Hysolate for yourself? Try Hysolate Free here.